Zendoric
← Back to the day · July 11, 2026

Zero trust was designed for humans: agentic AI forces us to watch the data, not just the identity

🕒 Published on Zendoric: July 11, 2026 · 00:27

NetApp CPO Syam Nair argues that identity- and network-based zero trust models don't work for agents that decide and act on their own, at machine speed. His prescription: govern data in real time, not just authenticate once. An early warning that the next wave of cybersecurity will be fought at the metadata layer.

🎧 Listen to the analysis
🎉 We're already a big community — and growing every dayJoin the readers who never miss the AI analysis that sets the momentum. Subscribe free.

We'll send you a confirmation email (double opt-in). Privacy.

By BankInfoSecurity · July 10, 2026.

Syam Nair, chief product officer at NetApp and former CTO of Zscaler with stints at Salesforce and Microsoft, has put forward in an interview with ISMG a simple but uncomfortable thesis for much of the security industry: zero trust as we know it —point-in-time authentication, static permissions, identity and network control— was designed for people, not for AI agents that reason, query multiple data sources, and trigger workflows on their own. According to Nair, traditional copilots and chatbots operate under continuous human supervision; agents no longer do. That means a single wrong decision can cascade across a company's systems before anyone notices. His concrete proposal is to extend zero-trust principles down to the data layer: instead of validating credentials once and trusting throughout the session, organizations need continuous governance that evaluates in real time the agent's intent, the business context, and the sensitivity of the information it is touching. "The human role does not disappear, it evolves," Nair sums up. "Humans remain accountable for what the AI does."

It is a message that comes from someone who sells data infrastructure, so it is worth reading through the usual filter: NetApp has a direct commercial interest in companies investing in metadata governance. But the underlying diagnosis is not marketing, it is a logical consequence of how agents work: classic security architecture assumes that whoever enters with a valid credential behaves in a reasonably predictable way for a while. An autonomous agent is not that. It switches tasks, chains tool calls, and accesses data that not even the agent itself knew it would need when it started the session. Authenticating once and letting it run is, in that context, an invitation for a reasoning failure —or a prompt-injection attack— to turn into a leak or an irreversible action before a human can step in.

This connects to something we have been observing in coverage of agentic-systems security: the control layer is shifting from the model itself to the plumbing around it. It is no longer enough to assess how good a model is on a benchmark; what determines the real risk of a deployment is how permissions are governed among agent, model, and tools, and how granularly each access to sensitive data is audited. It is the same logic pushing protocols like MCP to incorporate finer permission controls, or leading discussions about token spending and agent observability to be treated today as a governance problem, not just an engineering one. Nair's proposal —moving zero trust from the identity perimeter to the data itself, using metadata to decide in real time whether a query makes sense given the context— is one more piece of that same movement: the security of agentic AI is becoming a data-governance problem, not an authentication one.

In the short term this is added work, and expensive: building continuous governance on top of metadata requires cataloging, tagging, and monitoring volumes of data that most companies do not even have well inventoried, plus redesigning access architectures that for years have taken the classic identity model for granted. Organizations that rush to deploy agents without solving this first expose themselves to a risk that is not hypothetical: a permissions failure in an autonomous agent can be amplified at scale. But the underlying direction fits the thesis we hold at Zendoric: agentic AI does not get halted, it gets governed. The companies that invest now in that control layer —even if it slows deployments in the short term— will be the ones able to scale agents with confidence when the technology, inevitably, becomes more capable and cheaper. Security, properly understood, is not the brake on the abundance AI promises; it is the condition for that abundance to arrive without an out-of-control agent taking down a bank's or a hospital's data along the way.

🔗 Related on Zendoric

Sources & references

Get the analysis by email · free

One email a day analysing the AI essentials. Free, no spam, unsubscribe anytime.

We'll send you a confirmation email (double opt-in). Privacy.